Welcome to SaaS thoughts

Whether you call it Software as a Service (SaaS), Managed Service Provider (MSP) or On-Demand Services, your organization uses the service running “in the cloud”. This blog will discuss these services, their benefits, drawbacks and operations. Are we biased? Yes. We believe that some services make sense for most organizations. Email security is one of those. However, as Mark Twain said, “All generalizations are false, even this one.” Each Tuesday we will post information and questions about Software as a Service. Occasionally, we will have a "Guest Post" from either a consultant or vendor posting her/his thoughts on Managed Services generally, as well as some degree of specificity based on her/his unique perspective. We encourage your insights, comments and feedback. Welcome.

Introduction

Some people are concerned that they will lose control over their data when the service gets “managed.” Who controls your data? Who has access to your data? How secure is your data? In large part, that depends on which service you use.

Managed data vs. service

When an organization uses a managed service, the questions of concern are:

Where is the data stored?

Who has valid access to it?

Who has inappropriate access to it?

Data stores

In the case of some types of managed services, the data is indeed stored outside your facilities. Companies such as Salesforce host your data on their servers. For the purpose of this discussion, the benefit of this centralized storage is that anyone with a browser can access your data with proper authentication credentials. That’s the concern, isn’t it? Who has access to your data?

Questions to ask in considering this type of managed service are:

Who has (or can fake) the proper credentials to gain access to your data?

What steps is the vendor taking to ensure your data is only accessed by authorized personnel?

Where is the audit trail on access to the data and how secure is that?

For the managed service provider to be successful (and Salesforce is), it has to answer these questions successfully for every customer. In fact, the data stored at a successful managed service provider is probably more protected than the data centers of the vast majority of their customers. At some point, the potential customer realizes that the weak link is not the managed service provider but the personnel using the service, just like data stored in-house.

Data backup service

In the case of on-line backups (Internet vaulting), the data store is an off-site backup of the live data at the customer’s facility. The data is usually compressed and encrypted with two 128-bit public/private keys: the customer’s and the vendor’s. The data vault vendor typically does not even have the customer’s keys. Retrieval of the data without both key pairs is virtually impossible, which is secure enough for the business to feel comfortable. Like the live data stored by a managed service provider, this data must be stored in a redundant set of servers across secure facilities with the data mirrored among servers and facilities.

One of the minor tragedies (compared to the loss of life and property) of 9/11 is that some companies thought that “off-site data storage” meant they could store the data in the “other” tower. The thought that both towers could go down was inconceivable. Now, many specifications for data vaulting require that the data center must be at least 100 miles away from the client and at least 100 miles away from any other data center. <shameless plug>The data centers used by Webroot’s Email Security and Archiving Service are on different continents. </shameless plug>

Data archiving service

The term data or email archiving applies to data or email that is not designed to be restored back to replace a failed data storage device on site. Instead, the data is in a database which, while searchable, is not restorable. This service is most often done for regulatory compliance. Again, as above, the data must be highly secure and stored in mirrored and redundant storage sites.

Data management/processing service

In this instance, data is not stored permanently at the SaaS supplier’s facility but is processed and passed. Email security is an obvious example. Email is cleansed and forwarded to the email server; not stored permanently. There is no less need for data security in these instances than when data resides in the centralized data center.

Control

So, who controls the data? If the data is permanently stored at a data center, both you and the data center do, but with very different kinds of control. You control the data; the data center controls the physical equipment and infrastructure holding your data. These data centers live or die on the security they provide for the customer’s data. I know of data centers that have concentric rings of secure physical access to the server farm:

ID checking against an authorized list for access to the building

Pass key or tokens beyond the lobby (with an escort for visitors)

Fingerprint or palm scanning to get into the data center

Retinal scanning to gain access to the server farm itself

Talk about a scene from “Mission Impossible”!

The idea is to give the client the comfortable feeling that the data center is unassailable. To gain access to the data, you would still have to have valid authentication to a company’s data. It’s a lot easier to gain access to data via a browser from outside. Which is more likely to be the cause of a data security leak? The customer. Just like data in your data center.

One Person has left comments on this post

We often get the statement “I want to retain control and feel in house I’ll have more control” from prospective clients, which is a valid concern. However, once we show the level of granularity and control they have, and that our filtering service actually is like having it on the network without all the management and resilience issues, they fast come around to the fact that control is not an issue. To anyone concerned about the form factor difference between in house and a filtering service, I would recommend and encourage they take a free demo walkthrough or trial to validate, and I think they will be surprised. We have many customers who claim they get far greater control than they ever did with their on network solutions.